SUBLAKE is an AI-powered platform that gives service businesses four AI employees — a Receptionist, a Reputation Manager, an Office Manager, and a Marketing Manager — that run the front office 24/7. It includes a Smart CRM, unified inbox, and analytics, all bundled at a single flat rate.

How much does SUBLAKE cost?

SUBLAKE is one flat plan at $299/month per location. Every AI employee, every channel (calls, SMS, email, chat, social), the Smart CRM, and analytics are included. No tiers, no per-seat pricing, no add-ons. Every account starts with a 14-day free trial — no credit card required.

What does an AI employee actually do?

Each of the four AI employees owns a domain end-to-end. The Receptionist answers every inbound call, SMS, and chat 24/7 and books appointments directly into your calendar. The Reputation Manager replies to every Google and Yelp review and requests reviews from satisfied customers. The Office Manager owns your calendar — confirmations, reminders, no-show recovery, and lapsed-client outreach. The Marketing Manager drafts email and social campaigns in your brand voice and runs nurture sequences.

Which industries is SUBLAKE built for?

SUBLAKE is purpose-built for service businesses: home services (HVAC, plumbing, electrical, roofing), auto services (repair, body, detail, tire), beauty and wellness (salons, spas, fitness, med spas), healthcare (clinics, dental, chiropractic, veterinary), and legal and finance (law firms, accounting, financial advisors).

Is there a free trial?

Yes. SUBLAKE includes a 14-day free trial on every account. No credit card is required to start, and you can cancel before day fifteen for $0.

GDPR Compliance

Last updated: April 30, 2026

SUBLAKE is committed to full compliance with the General Data Protection Regulation (GDPR) and protecting the rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland. This page outlines our GDPR compliance framework, your rights as a data subject, and how we protect your personal data.

1. Our GDPR Commitment

As both a data controller (for data we collect directly) and a data processor (for data our customers store on our platform), we are committed to:

Processing personal data lawfully, fairly, and transparently
Collecting data only for specified, explicit, and legitimate purposes
Minimizing data collection to what is necessary for the stated purpose
Ensuring data accuracy and keeping it up to date
Retaining data only as long as necessary
Implementing appropriate technical and organizational security measures
Demonstrating compliance through documentation and impact assessments

2. Legal Basis for Processing

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

Processing Activity	Legal Basis
Providing the Service	Contract performance (Art. 6(1)(b))
Payment processing	Contract performance (Art. 6(1)(b))
AI-powered automation	Contract performance (Art. 6(1)(b))
Security monitoring	Legitimate interest (Art. 6(1)(f))
Analytics and improvement	Legitimate interest (Art. 6(1)(f))
Marketing communications	Consent (Art. 6(1)(a))
Tax and legal compliance	Legal obligation (Art. 6(1)(c))

3. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR:

Right of Access (Art. 15)

Obtain confirmation of whether we process your data and request a copy of it.

Right to Rectification (Art. 16)

Request correction of inaccurate personal data without undue delay.

Right to Erasure (Art. 17)

Request deletion of your personal data when it is no longer necessary for its original purpose.

Right to Restriction (Art. 18)

Request limitation of processing in certain circumstances (e.g., while verifying accuracy).

Right to Portability (Art. 20)

Receive your personal data in a structured, machine-readable format and transfer it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling and direct marketing.

Right re: Automated Decisions (Art. 22)

Not be subject to decisions based solely on automated processing that significantly affect you.

We will respond to rights requests within 30 days. In complex cases or where there are many requests, this may be extended by an additional 60 days with prior notification.

4. Data Controller & Processor Roles

SUBLAKE acts in two capacities depending on the context:

As Data Controller: For personal data we collect directly from you (account information, usage data, marketing interactions). We determine the purposes and means of processing.
As Data Processor: For personal data that you (our customer) store on our platform (your contacts, customer communications, CRM data). You determine the purposes; we process on your instructions.

When we act as a data processor, you remain the data controller and are responsible for ensuring you have a lawful basis for processing the personal data of your own customers.

5. Data Processing Agreement

We offer a comprehensive Data Processing Agreement (DPA) to all customers as required by Article 28 of the GDPR. Our DPA includes:

Subject matter and duration of processing
Nature and purpose of processing
Types of personal data processed
Categories of data subjects
Obligations and rights of the controller
Standard Contractual Clauses (SCCs) for international transfers
Technical and organizational security measures (Annex II)
List of approved sub-processors (Annex III)

Read our DPA

SUBLAKE's standard Data Processing Agreement is published in full and applies automatically to every customer with EU/UK/Swiss data subjects.

View the Data Processing Agreement →

Need a counter-signed PDF for your records? Email contact@sublake.com.

6. Sub-Processors

We use the following sub-processors to provide our services. All are bound by data processing agreements that meet GDPR requirements:

Sub-Processor	Purpose	Location
Supabase	Database hosting and authentication	USA (AWS us-east-1)
Anthropic	AI processing (no data retention)	USA
Vercel	Frontend hosting	USA (Global CDN)
Railway	Backend hosting	USA
Stripe	Payment processing	USA/Ireland
Resend	Transactional email delivery	USA
Sentry	Error monitoring	USA

We will notify customers of any new sub-processors at least 30 days before they begin processing data. Customers may object to a new sub-processor as outlined in our DPA.

7. International Data Transfers

As our infrastructure is primarily located in the United States, personal data from EEA/UK residents may be transferred internationally. We ensure adequate protection through:

Standard Contractual Clauses (SCCs): We use the European Commission's latest SCCs (2021) with all sub-processors
Transfer Impact Assessments: Conducted for all international transfers to evaluate recipient country protections
Supplementary Measures: Additional technical safeguards (encryption, pseudonymization) where required
EU-US Data Privacy Framework: Where applicable, reliance on adequacy decisions

8. Technical & Organizational Measures

We implement comprehensive security measures as required by Article 32 of the GDPR:

Technical Measures

AES-256 encryption for data at rest; TLS 1.3 for data in transit
Row-level security (RLS) ensuring strict data isolation between tenants
Automated backups with point-in-time recovery capability
Regular vulnerability scanning and penetration testing
Intrusion detection and prevention systems
Web application firewall (WAF) protection

Organizational Measures

Access control policies with principle of least privilege
Employee security awareness training
Incident response procedures and documentation
Hosted on SOC 2 Type II certified cloud providers (AWS, Supabase, Railway)
Data protection impact assessments (DPIAs) for high-risk processing
Vendor security assessments for all sub-processors

9. Data Breach Notification

In the event of a personal data breach, we will:

Notify affected customers (data controllers) without undue delay and within 72 hours of becoming aware of the breach
Provide detailed information about the nature of the breach, categories of data affected, and remedial measures taken
Cooperate with customers in their obligations to notify supervisory authorities and affected individuals
Document all breaches, including those that do not meet the notification threshold, as part of our internal records

10. Data Protection Officer

For all GDPR-related inquiries, data subject requests, or to report a data protection concern, please contact our Data Protection Officer:

Data Protection Officer

SUBLAKE Holdings LLC
Email: contact@sublake.com
Subject line: "GDPR Request"

11. How to Exercise Your Rights

To exercise any of your rights under the GDPR:

Email us at contact@sublake.com with the subject "GDPR Rights Request"
Include your full name, email address associated with your account, and the specific right you wish to exercise
Verification: We may ask you to verify your identity before processing your request
Timeline: We will acknowledge receipt within 3 business days and fulfill your request within 30 days

There is no fee for exercising your rights. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on such requests.

12. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You can file a complaint with:

The supervisory authority in your country of residence
The supervisory authority in the country where you work
The supervisory authority in the country where the alleged infringement occurred

We encourage you to contact us first so we can attempt to resolve any concerns directly. We take all privacy complaints seriously and will respond promptly.